Custom roles vs profiles for access control in account management: best practices and pitfalls

I’m redesigning our access control structure in Zoho CRM and trying to decide between using custom roles versus profiles for our account management team. We have a complex hierarchy where account managers need different levels of access based on account tier, region, and customer type. Some managers handle enterprise accounts and need full access, while others manage SMB accounts with limited data visibility.

From what I understand, profiles control what users can do with modules, while roles control what records they can see. But I’m unclear on best practices - should I create multiple profiles for different account manager types, or use a single profile with multiple custom roles? What’s the most maintainable approach for ongoing security audits?

The key is understanding the permission inheritance model. Profiles define the ceiling of what’s possible - module access, field permissions, actions. Roles then restrict data visibility within those boundaries through the role hierarchy. For account management, I’d recommend one profile per functional job type with multiple roles for organizational hierarchy. This makes security audits much cleaner because you’re auditing two separate concerns.

Consider your scaling needs too. If you’re growing the team, roles scale better. Adding a new regional manager? Just assign them to the existing regional manager role. With profile-heavy approaches, you often end up cloning profiles and creating sprawl. We have 45 users across 6 profiles but 18 roles, and the role structure is way easier to explain to new admins.

After implementing access control for dozens of Zoho CRM instances, here’s the framework that works best:

Access Control Best Practices:

Use Profiles For:

  1. Functional capabilities (what users can DO)
     • Module access (Accounts, Contacts, Deals)
     • Field-level permissions (view/edit specific fields)
     • Action permissions (create, edit, delete, export)
     • Feature access (reports, dashboards, mass operations)
  2. Job function categories
     • Account Manager profile
     • Sales Representative profile
     • Sales Manager profile
     • Account Executive profile

Use Roles For:

  1. Data visibility (what records users can SEE)
     • Organizational hierarchy
     • Regional structure
     • Team structure
     • Account tier segmentation
  2. Record ownership and access
     • Who can see whose records
     • Hierarchical data access
     • Subordinate visibility

For Your Scenario:

Create 2-3 profiles based on functional needs:

  • Account Manager (Standard): Full account/contact access, limited deal editing
  • Account Manager (Senior): Full account/contact/deal access, bulk operations
  • Account Manager (Executive): Everything above plus reporting, data export

Then create roles for your access hierarchy:

  • Enterprise Account Managers (see all enterprise accounts)
  • SMB Account Managers (see only SMB accounts)
  • Regional Managers (see all accounts in their region)
  • VP Sales (see everything)

Security Audit Advantages:

Role-based access control is superior for audits because:

  1. Clear data lineage: “Show me who can access customer financial data” = check roles assigned to sensitive account tiers
  2. Simpler compliance reporting: Role membership reports vs complex profile permission matrices
  3. Easier access reviews: Review role assignments quarterly vs reviewing profile configurations
  4. Better segregation of duties: Roles naturally map to organizational structure

Maintenance Strategy:

  1. Document your access control model:
     • Profile = job function capabilities
     • Role = organizational data access
     • Sharing rules = exceptions and collaborations
  2. Quarterly review process:
     • Review role assignments for accuracy
     • Audit profile permissions against job descriptions
     • Check sharing rules for business justification
  3. Naming conventions:
     • Profiles: “AccountMgr_Standard”, “AccountMgr_Senior”
     • Roles: “Enterprise_AccountMgr”, “SMB_AccountMgr_West”
     • Makes the structure self-documenting

Common Pitfalls to Avoid:

  1. Don’t create profiles for every variation - you’ll end up with 20+ profiles that are 95% identical
  2. Don’t use roles to grant capabilities - that’s what profiles are for
  3. Don’t forget that role hierarchy means subordinates see manager records by default
  4. Don’t mix concerns - keep functional permissions (profiles) separate from data access (roles)

The cleanest implementations I’ve seen use 4-6 profiles covering all job functions, with 15-25 roles mapping the organizational hierarchy. This provides flexibility while remaining auditable and maintainable. Your security audits become straightforward: verify profile assignments match job functions, verify role assignments match org structure, and document any sharing rule exceptions.
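The "profile is the ceiling, role decides visibility" model that both answers describe, as an added worked example that is not from the thread and is not Zoho's API or data model: a small Python simulation using the profile and role names suggested above, one hypothetical sharing rule, and constructed users and records. The hierarchy is modelled so that a role sees records owned by users in any role beneath it; profiles are checked first, so a user who owns a record still cannot perform an action their profile does not grant. It goes slightly beyond the thread with two audit helpers: a "who can perform action X on module Y for tier Z" query of the kind the second answer says roles make easy, and a similarity score between two profiles that flags the near-identical profile sprawl listed under the pitfalls.

```python
from dataclasses import dataclass

# Constructed sample model (hypothetical names, not Zoho's configuration).
# A profile is the capability ceiling: module -> set of allowed actions.
PROFILES = {
    "AccountMgr_Standard": {
        "Accounts": {"view", "edit"}, "Contacts": {"view", "edit"}, "Deals": {"view"},
    },
    "AccountMgr_Senior": {
        "Accounts": {"view", "edit", "delete"}, "Contacts": {"view", "edit", "delete"},
        "Deals": {"view", "edit", "delete"},
    },
    "AccountMgr_Executive": {
        "Accounts": {"view", "edit", "delete", "export"},
        "Contacts": {"view", "edit", "delete", "export"},
        "Deals": {"view", "edit", "delete", "export"},
    },
}

# Role hierarchy as child -> parent; the top role has no parent. Modelled so
# that a role can see records owned by users in any role beneath it.
ROLE_PARENT = {
    "VP_Sales": None,
    "RegionalMgr_West": "VP_Sales",
    "Enterprise_AccountMgr": "RegionalMgr_West",
    "SMB_AccountMgr_West": "RegionalMgr_West",
}

# Sharing rules are the documented exceptions: (granting role, receiving role, module).
# Hypothetical rule: SMB managers may see Contacts owned by enterprise managers.
SHARING_RULES = [("Enterprise_AccountMgr", "SMB_AccountMgr_West", "Contacts")]


@dataclass(frozen=True)
class User:
    name: str
    profile: str
    role: str


@dataclass(frozen=True)
class Record:
    module: str
    owner: str  # User.name
    tier: str   # "enterprise" or "smb"


# Constructed users and records.
USERS = {u.name: u for u in [
    User("vp", "AccountMgr_Executive", "VP_Sales"),
    User("rm_west", "AccountMgr_Senior", "RegionalMgr_West"),
    User("ent_am", "AccountMgr_Standard", "Enterprise_AccountMgr"),
    User("smb_am", "AccountMgr_Standard", "SMB_AccountMgr_West"),
]}
RECORDS = [
    Record("Accounts", "ent_am", "enterprise"),
    Record("Deals", "ent_am", "enterprise"),
    Record("Contacts", "ent_am", "enterprise"),
    Record("Accounts", "smb_am", "smb"),
]


def role_chain(role):
    """Yield the role and every ancestor up to the top of the hierarchy."""
    while role is not None:
        yield role
        role = ROLE_PARENT[role]


def can_see(user, record):
    """Role decides visibility: the user's role is the owner's role or one of
    its ancestors, or an explicit sharing rule covers that module."""
    owner = USERS[record.owner]
    if user.role in role_chain(owner.role):
        return True
    return any(granting == owner.role and receiving == user.role and module == record.module
               for granting, receiving, module in SHARING_RULES)


def can_do(user, record, action):
    """Profile is the ceiling: the action must be allowed on the module before
    the role is consulted, so owning a record never grants an action."""
    if action not in PROFILES[user.profile].get(record.module, set()):
        return False
    return can_see(user, record)


def who_can(action, module, tier=None):
    """Audit query such as 'who can export enterprise Accounts?'."""
    hits = set()
    for rec in RECORDS:
        if rec.module != module or (tier and rec.tier != tier):
            continue
        hits.update(u.name for u in USERS.values() if can_do(u, rec, action))
    return sorted(hits)


def profile_overlap(a, b):
    """Jaccard similarity of two profiles' (module, action) grants; values near
    1.0 indicate near-duplicate profiles that should probably be merged."""
    def grants(p):
        return {(m, act) for m, acts in PROFILES[p].items() for act in acts}
    ga, gb = grants(a), grants(b)
    return len(ga & gb) / len(ga | gb)


if __name__ == "__main__":
    print("can export enterprise Accounts:", who_can("export", "Accounts", "enterprise"))
    print("can view enterprise Accounts:", who_can("view", "Accounts", "enterprise"))
    print("Senior vs Executive overlap:", round(profile_overlap("AccountMgr_Senior", "AccountMgr_Executive"), 2))
```

Running it shows the two concerns separately: only the Executive profile holder can export, but which enterprise Accounts they can export is decided by their position in the role tree, and the Standard-profile enterprise manager cannot edit their own Deal because the profile, not the role, withholds that action. The overlap score is the kind of number a quarterly review can put a threshold on before cloning yet another profile.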